Keep your dependencies in check

Transcript

1. Keep your dependencies in check All Day DevOps on Tour:

   Malmö Edition - Nov 8, 2023 https://maritvandijk.com/ @MaritvanDijk77

2. @MaritvanDijk77

3. @MaritvanDijk77

4. @MaritvanDijk77

5. @MaritvanDijk77

6. Dec. 2021 @MaritvanDijk77

7. @MaritvanDijk77

8. @MaritvanDijk77

9. @MaritvanDijk77

10. March 2022 @MaritvanDijk77

11. @MaritvanDijk77

12. @MaritvanDijk77 Do we need this dependency? https://maritvandijk.com/selecting-dependencies/

13. @MaritvanDijk77 https://www.sonatype.com/resources/log4j-vulnerability-resource-center

14. No dependencies @MaritvanDijk77 Maintain dependencies

15. Maven • Overview of dependencies: `mvn dependency:tree` @MaritvanDijk77

16. Maven • Check for updates: `mvn versions:display-dependency-updates` @MaritvanDijk77

17. Maven • Check for updates: `mvn versions:display-dependency-updates` @MaritvanDijk77

18. Maven • Analyze dependencies: `mvn dependency:analyze` @MaritvanDijk77

19. Gradle • Overview of dependencies: `./gradlew dependencies` @MaritvanDijk77

20. Gradle • Check for updates: • Add plugin, e.g. gradle-versions-plugin

    • Run `./gradlew dependencyUpdates` @MaritvanDijk77 https://github.com/ben-manes/gradle-versions-plugin

21. Gradle • Analyze dependencies • Add plugin (e.g. nebula) @MaritvanDijk77

    https://github.com/nebula-plugins/gradle-lint-plugin/wiki/Unused-Dependency-Rule

22. Gradle • Analyze dependencies • Add plugin (e.g. nebula) •

    Run `./gradlew fixGradleLint` @MaritvanDijk77 https://github.com/nebula-plugins/gradle-lint-plugin/wiki/Unused-Dependency-Rule

23. IntelliJ IDEA: View Dependencies @MaritvanDijk77

24. IntelliJ IDEA: View Dependencies @MaritvanDijk77

25. IntelliJ IDEA: View Dependencies @MaritvanDijk77

26. IntelliJ IDEA: View Dependencies @MaritvanDijk77 https://www.jetbrains.com/help/idea/maven-projects-tool-window.html

27. IntelliJ IDEA: View Dependencies @MaritvanDijk77 https://www.jetbrains.com/help/idea/jetgradle-tool-window.html

28. IntelliJ IDEA: Dependency Analyzer @MaritvanDijk77 https://www.jetbrains.com/help/idea/work-with-maven-dependencies.html#dependency_analyzer

29. IntelliJ IDEA: Dependency Analyzer @MaritvanDijk77 https://www.jetbrains.com/help/idea/work-with-maven-dependencies.html#dependency_analyzer

30. IntelliJ IDEA: Dependency Analyzer @MaritvanDijk77 https://www.jetbrains.com/help/idea/work-with-gradle-dependency-diagram.html#dependency_analyzer

31. IntelliJ IDEA: Dependency Analyzer @MaritvanDijk77 https://www.jetbrains.com/help/idea/work-with-gradle-dependency-diagram.html#dependency_analyzer

32. IntelliJ IDEA: Dependency Analyzer @MaritvanDijk77 https://www.jetbrains.com/help/idea/work-with-gradle-dependency-diagram.html#dependency_analyzer

33. IntelliJ IDEA: Dependency Analyzer @MaritvanDijk77 https://www.jetbrains.com/help/idea/work-with-gradle-dependency-diagram.html#dependency_analyzer

34. IntelliJ IDEA • Package Search: Add dependency @MaritvanDijk77 https://www.jetbrains.com/help/idea/package-search.html

35. IntelliJ IDEA • Package Search: Add dependency @MaritvanDijk77 https://www.jetbrains.com/help/idea/package-search.html

36. IntelliJ IDEA: Update dependencies • Context Actions (⌥ ⏎ or

    Alt+Enter) @MaritvanDijk77

37. IntelliJ IDEA: Update dependencies • Hover @MaritvanDijk77 https://www.jetbrains.com/help/idea/package-analysis.html

38. IntelliJ IDEA • Dependencies tool window @MaritvanDijk77 https://www.jetbrains.com/help/idea/package-search.html

39. IntelliJ IDEA • Dependencies tool window (search) @MaritvanDijk77 https://www.jetbrains.com/help/idea/package-search.html

40. IntelliJ IDEA https://www.jetbrains.com/help/idea/package-analysis.html @MaritvanDijk77

41. Pros & Cons + Check dependencies while working on the

    project - Check out each individual project - Apply & verify updates @MaritvanDijk77

42. Software Composition Analysis (SCA) • Scan all repos (and containers)

    • Overview @MaritvanDijk77

43. SCA: Pros & Cons + No need to check out

    repos individually - I have to check the dashboard - Apply & verify updates @MaritvanDijk77

44. @MaritvanDijk77 Bots • Dependabot • Renovate • Snyk Open Source

45. Features @MaritvanDijk77 Dependabot Renovate Snyk Open source Alerts Y Security

    Updates Y Y Y Version Updates Y (with extra config) Y Y Dashboard Y Y Check PRs for vulnerable dependencies Y Scan code for vulnerabilities Y

46. Options @MaritvanDijk77 Dependabot Renovate Snyk Open source Repos All All

    vs. selected only Public only vs. public & private (can disable for repo) Scheduling Daily / Weekly / Never Very detailed (presets, cron syntax, ..) Daily / Weekly / Never Info in PR Severity metrics Adoption rate % passing tests Confidence level Severity Breaking change Known Exploits Max. nr. of PRs Y (default 5) Y and concurrent branches New and/or known vulnerabilities Bundle updates in PR Y (with config) Y (by default) Rebase strategy Y Y TODO Rule-based automerge Y Check PRs Y

47. Platforms @MaritvanDijk77 Dependabot Renovate Snyk Open source GitHub native GitHub.com

    GitHub Enterprise Server GitHub GitHub Enterprise GitHub Read-only projects GitLab (with config) GitLab.com GitLab CE/EE GitLab Bitbucket Cloud Bitbucket Server Bitbucket Cloud Personal Access Token (Legacy) Bitbucket Cloud App Bitbucket Data Center/Server Azure DevOps Azure (TFS) Repos AWS CodeCommit Gitea and Forgejo

48. Dependabot security alerts @MaritvanDijk77 https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates

49. Dependabot security updates @MaritvanDijk77 https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates

50. Renovate PR @MaritvanDijk77 https://docs.renovatebot.com/merge-confidence/

51. Renovate Dashboard: Project @MaritvanDijk77

52. Snyk PR @MaritvanDijk77

53. Snyk dashboard @MaritvanDijk77

54. @MaritvanDijk77 Bots • Dependabot • Renovate • Snyk Open Source

55. Bots: Pros & Cons + Relatively easy to install +

    Automatic PR's - Can create "noise" - Manage PRs (merge & deploy) - Do NOT update your code (if needed) @MaritvanDijk77

56. Migration tools @MaritvanDijk77

57. IntelliJ IDEA • Refactor > Migrate Packages and Classes @MaritvanDijk77

    https://www.jetbrains.com/help/idea/migrate.html

58. IntelliJ IDEA • Refactor > Migrate Packages and Classes >

    • Java EE to Jakarta EE • JUnit (4.x -> 5.0) • JavaFX (8 -> 9) @MaritvanDijk77 https://www.jetbrains.com/help/idea/migrate.html

59. IntelliJ IDEA • Create New Migration @MaritvanDijk77

60. IntelliJ IDEA • Create New Migration @MaritvanDijk77

61. Error Prone • Static analysis tool for Java to catch

    common programming mistakes at compile-time. • Maven, Gradle, etc. • IntelliJ IDEA / Eclipse plugin, Command line • Bug patterns • Report or fix • Custom checks • Includes Refaster: refactor code using before-and-after templates @MaritvanDijk77 https://errorprone.info/

62. Error Prone @MaritvanDijk77 https://www.youtube.com/watch?v=NPuLeoIzIR0

63. Error Prone Support @MaritvanDijk77 https://error-prone.picnic.tech/

64. OpenRewrite • Source code refactoring for framework/API migrations, vulnerability patches,

    and static code analysis fixes • Java, Kotlin & Groovy support • Maven/Gradle • Run without a build tool • Early support for Python, Typescript, ... @MaritvanDijk77 https://docs.openrewrite.org/

65. OpenRewrite • Existing recipes • Upgrade versions • Migrate libraries

    • Fix static analysis issues @MaritvanDijk77 https://docs.openrewrite.org/running-recipes/popular-recipe-guides

66. OpenRewrite • Existing recipes • Find by topic @MaritvanDijk77 https://docs.openrewrite.org/reference/recipes

67. OpenRewrite • Existing recipes • Can author your own recipes

    @MaritvanDijk77 https://docs.openrewrite.org/

68. OpenRewrite @MaritvanDijk77 https://www.youtube.com/watch?v=jOFfCAleUI8

69. Conclusion •(Re)evaluate dependencies carefully •Automate checks & updates •Stay safe!

    @MaritvanDijk77

70. Slides & More https://maritvandijk.com/presentations/keep-your-dependencies-in-check/ @MaritvanDijk77